WHAT IS CLAIMED IS: 
1. A security gateway for interfacing between
virtual private network data packets and corporate
network packets, each data packet comprising address
information, the security gateway comprising:

a plurality of protocol modules each for processing
packets in accordance with a different virtual private
network protocol;

memory for storing sequence information identifying
which of the protocol modules is to process each packet
and the order of the processing;

a protocol discriminator for receiving data packets
and being responsive to the address information of a
received data packet for passing the received data
packet to one or more of the protocol modules, for
processing thereby in the sequence identified by the
protocol sequence information.



2. A security gateway in accordance with claim 1
wherein each protocol module receiving a data packet
passes the received packet back to the protocol
discriminator upon completion of processing.



3. A security gateway in accordance with claim 2
wherein the protocol discriminator selectively sends a
data packet received from one of the protocol modules to
another of the protocol modules.



4. A security gateway in accordance with claim 3
comprising a firewall interface to a corporate network
and the protocol discriminator passes data packets to
the firewall interface after processing by one or more
of the protocol modules.

5. A security gateway in accordance with claim 1
wherein one of the plurality of protocol modules
processes virtual private network packets at a level 2
communication layer and another of the plurality of
protocol modules processes virtual private network
packets at a level 3 communication layer.

6. A security gateway in accordance with claim 5
wherein the one protocol module processes point-to-point
tunneling protocol and layer 2 tunneling protocol.

7. A security gateway in accordance with claim 5
wherein the another protocol module processes packets in
the IPSec protocol.

8. A security gateway in accordance with claim 1
comprising a packet filter responsive to address
information in packets presented thereto for selectively
granting and denying communication with the corporate
network.



9. A security gateway in accordance with claim 8
comprising a stored table of access rules and the packet
filter responds to the access rules for selectively
granting and denying communication with the private
network.



10. In a security gateway for interfacing between
virtual private network packets and corporate network
packets, each packet comprising address information and
a plurality of protocol modules each for processing
packets in accordance with a different virtual private
network protocol, the method comprising:

storing protocol sequence information identifying
which of the protocol modules is to process each packet
and the order of the processing;

receiving data packets and responsive to addressing
information of a received data packet, sending the
received data packet to one or more of the protocol
modules, for processing thereby in the sequence
identified by the protocol sequence information.

11. A method in accordance with claim 10
comprising accumulating the protocol sequence
information during authentication of one or more
communication request packets.

12. A method in accordance with claim 10
comprising processing virtual private network packets
at a level 2 communication layer in one of the plurality
of protocol modules and processing virtual private
network packets at a level 3 communication layer in
another of the plurality of protocol modules.

13. A method in accordance with claim 10 
comprising selectively granting and denying 
communication with the corporate network. 

14. A method in accordance with claim 13
comprising storing a table of access rules upon which
granting and denying communication with the private
network is based.

15. A method of operating a security gateway in a
virtual private network in which a user is assigned an
IP address on a per session basis, the method
comprising:

receiving at the security gateway a network packet
and ascertaining from the packet the assigned IP address
and the identity of the user initiating the packets;

identifying from storage at the security gateway
rules and policies specifying permissions for the
identified user to communicate and VPN protocols for
packets from the identified user;

binding a portion of the rules and policies for the
identified user to the assigned IP address of the user;

processing received packets in a plurality of
protocol modules in accordance with the identified VPN
protocols; and

controlling virtual packet network security
functions for packets from the user under direction of
data in the rules and policies bound to the assigned IP
address of the user.



16. A method in accordance with claim 15 wherein
the rules and policies comprise data defining the
security associations for communication between the user
and the security gateway.

17. A method in accordance with claim 15 wherein
the rules and policies comprise data for controlling
access by the user to processes and data on a private
network.



18. A method in accordance with claim 15 wherein
the identifying step comprises negotiating VPN protocol
attributes between the user and the security gateway.
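
Added example, not part of the patent text: a Python model of the arrangement recited in claims 1 to 4, 8, 9 and 15, in which a protocol discriminator looks up a stored module sequence by source address, runs the packet through each module in order, and then applies the access rules bound to that address. The class and function names, the layer labels, the sample addresses, and the default-deny and session-teardown behaviour are assumptions of this example.

```python
# Added illustration; names, layer labels and policy choices are assumptions.
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str                  # IP address assigned for this session
    dst: str
    layers: list              # outermost encapsulation first, e.g. ["l2tp", "ipsec"]
    trace: list = field(default_factory=list)

def make_module(name):
    """Stand-in protocol module: strips its own outer layer, rejects anything else."""
    def process(pkt):
        if not pkt.layers or pkt.layers[0] != name:
            raise ValueError(f"{name}: unexpected encapsulation")
        pkt.layers.pop(0)
        pkt.trace.append(name)
        return pkt            # handed back to the discriminator (claim 2)
    return process

MODULES = {n: make_module(n) for n in ("pptp", "l2tp", "ipsec")}

class Gateway:
    def __init__(self):
        self.sequence = {}    # assigned IP -> ordered module names (claim 1 memory)
        self.rules = {}       # assigned IP -> permitted destinations (claims 9, 15)

    def bind_session(self, ip, protocols, allowed):
        """After authentication, bind the user's policy to the session IP."""
        self.sequence[ip] = list(protocols)
        self.rules[ip] = set(allowed)

    def end_session(self, ip):
        """Unbind so a reassigned address cannot inherit the old user's policy."""
        self.sequence.pop(ip, None)
        self.rules.pop(ip, None)

    def handle(self, pkt):
        """Protocol discriminator: returns 'forward' or 'drop'."""
        seq = self.sequence.get(pkt.src)
        if seq is None:
            return "drop"     # no binding for this address: default deny
        try:
            for name in seq:  # re-dispatch after each module returns (claim 3)
                pkt = MODULES[name](pkt)
        except ValueError:
            return "drop"     # packet does not match the stored sequence
        if pkt.layers or pkt.dst not in self.rules[pkt.src]:
            return "drop"     # leftover encapsulation or destination not permitted
        return "forward"      # on to the firewall interface (claim 4)
```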